path: root/net/can/isotp.c
author: Oleksij Rempel <o.rempel@pengutronix.de> 2021-05-21 13:57:20 +0200
committer: Marc Kleine-Budde <mkl@pengutronix.de> 2021-06-16 12:52:18 +0200
commit: 2030043e616cab40f510299f09b636285e0a3678
tree: fd668a0e0799cb62026702c9278ed3a9e0e41537 /net/can/isotp.c
parent: Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
can: j1939: fix Use-after-Free, hold skb ref while in use

This patch fixes a Use-after-Free found by the syzbot.

The problem is that a skb is taken from the per-session skb queue, without incrementing the ref count. This leads to a Use-after-Free if the skb is taken concurrently from the session queue due to a CTS.

Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/r/20210521115720.7533-1-o.rempel@pengutronix.de
Cc: Hillf Danton <hdanton@sina.com>
Cc: linux-stable <stable@vger.kernel.org>
Reported-by: syzbot+220c1a29987a9a490903@syzkaller.appspotmail.com
Reported-by: syzbot+45199c1b73b4013525cf@syzkaller.appspotmail.com
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>

Diffstat (limited to 'net/can/isotp.c')
0 files changed, 0 insertions, 0 deletions